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DETAILED ACTION 



1 . Claims 1 -27 are pending. 

Claim Rejections - 35 USC § 101 

35 U.S. C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

2. Claims 24-27 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. The cited claims are directed to an access- 
request message. The claimed access-request message is an inoperative non-tangible 
data structure. Data structures not claimed as embodied in computer-readable media 
are descriptive material per se and are not statutory because they are not capable of 
causing functional change in the computer. See, e.g., Warmerdam, 33 F.3d at 1361, 31 
USPQ2d at 1760 (claim to a data structure per se held nonstatutory). The claimed data 
structure does not define any structural and functional interrelationships between the 
data structure and other claimed aspects of the invention which permit the data 
structure's functionality to be realized. 

Claim Rejections - 35 USC §112 

3. The following is a quotation of the second paragraph of 35 U.S.C. 112: 
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The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

4. Claims 1 and 5 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

5. Claim 1 is an open-ended "comprising" type claim that provides the limitations of 
a temporary randomly generated authenticator, a user password, and a message 
digest. It is unclear to the Examiner what the step of "replacing the value of the 
authenticator field" entails. It appears to implicitly provide a negative limitation of 
removing from the claim the temporary randomly generated authenticator value. 

6. Claim 5 presents the limitation "decoding the access-request message." It is 
unclear to the Examiner what data is being decoded. Examiner can find no limitation in 
a parent claim of encoded data. Claim 1 presents the limitation "executing an 
encryption algorithm," however; the encryption algorithm is operable to produce a 
message digest. A message digest is a result of a one-way function and thus decoding 
is not feasible. 

7. Claim 1 is rejected under 35 U.S.C. 112, second paragraph, as being incomplete 
for omitting essential elements, such omission amounting to a gap between the 
elements. See MPEP § 2172.01 . The omitted elements are: the informing or indication 
that the AAA server has knowledge of the temporary authenticator value. It is unclear to 
the Examiner how the AAA server would perform the step of "verifying the access- 
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request message" when the temporary authenticator value of the message has been 
replaced. 



Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

8. Claim 20 is rejected under 35 U.S.C. 102(e) as being anticipated by Hluchyj et al 
US Patent No. 6,282,193. 

9. With regards to claim 20, Hluchyj teaches authenticating an access-request 
message prior to performing user authentication of the access-request message 
(Hluchyj, column 3 lines 49-57, authentication, column 6 lines 1-19, error correction). 



Claim Rejections - 35 USC § 103 



10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
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11. Claims 1-2, 8-9, 11-14, 15-18, 24-27 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Rigney et al RFC 2138 in view of Rigney et al RFC 2139. 

12. With regards to claims 1 (as best understood), 12, 14, 17-18, 24-26, Rigney RFC 
2138 teaches writing a temporary randomly generated authenticator value in an 
attribute field of an access-request message (Rigney RFC 2138, Page 11, "Request 
Authenticator" value should be unpredictable and unique), encrypting a user password 
using the temporary authenticator value (Rigney RFC 2138, Page 12, shared secret 
followed by Request Authenticator is hashed used to XOR password, 16 octect, Page 
22 Section 5.2), transmitting the final access request message to an Authentication, 
Authorization, and Accounting server (Rigney RFC 2138, Page 6, receives request), 
and verifying the access-request message by the AAA server (Rigney RFC 2138, Page 
6, validates sending client). Rigney RFC 2138 fails to teach the executing of an 
encryption algorithm to generate a message digest and the filling of fields of a request 
message. Rigney RFC 2139 teaches executing an encryption algorithm using the 
access request message having the temporary authenticator value and the encrypted 
user password to generate a message digest (Rigney, RFC 2139, Page 5, Request 
Authenticator), the access request message having an authenticator field that is filled 
with a prescribed value, generating a final access-request message by replacing the 
value of the authenticator field with the message digest (Rigney, RFC 2139, Page 5, 
Request Authenticator, MD5 hash placed in authenticator field). At the time the 
invention was made, it would have been obvious to a person of ordinary skill in the art to 
utilize Rigney RFC 2139's method of creating message digests with Rigney's RFC 2138 
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because it offers the advantage of allowing a method of authenticating messages 
between a client and accounting server (Rigney RFC 2139 Page 5 "Authenticated). 

13. With regards to claims 2, 16, Rigney as modified teaches the prescribed value is 
a value previously defined between a foreign agent and the AAA server (Rigney, RFC 
2139, Page 5, Request Authenticator, nas and radius accounting server share a secret). 

14. With regards to claims 8, 13, 15 and 27, Rigney as modified teaches the 
randomly generated authenticator value being created differently every time a message 
is generated (Rigney RFC 2138, Page 11, "Request Authenticator" value should be 
unpredictable and unique). 

1 5. With regards to claim 9, Rigney teaches the writing of an authenticator value for 
authenticating an access-request message in an authenticator field of an access- 
request message and transmitting an access request message (Rigney RFC 2138, 
Page 11, "Request Authenticator" value should be unpredictable and unique), verifying 
the access-request message by using the authenticator value of the access-request 
message when the access-request message is received (Rigney RFC 2138, Page 6, 
validates sending client), decoding the access-request message if the access-request 
message is successfully verified (Rigney RFC 2138, Page 6, validates sending client) 

16. Claim 1 1 is rejected under 35 U.S.C. 103(a) as being unpatentable over Rigney 
et al RFC 2138 in view of Rigney et al RFC 2139, as applied to claim 9 above, and in 
further view of Morgan et al US Patent No. 6,088,799. 
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1 7. With regards to claim 1 1 , Rigney as modified teaches an encrypted user 
password written in an attribute field of an access-request message (Rigney RFC 2138, 
Page 12), but fails to teach the decrypting of the user password and comparison with a 
stored user password. Morgan teaches decrypting the user password (Morgan, column 
7 line 66 - column 8 line 16), comparing the decrypted user password and a user 
password stored in a database (Morgan, column 8 lines 4-7), determining that the user 
authentication is successful if the decrypted password and the stored user password 
are identical to each other and determining that the user authentication has failed if the 
decrypted user password and the stored user password are not identical to each other 
(Morgan, column 8 lines 7-16). At the time the invention was made, it would have been 
obvious to a person of ordinary skill in the art to utilize Morgan's password checking 
system with Rigney as modified because it offers the advantage of ensuring that only 
authenticated user's gain access to sensitive data such as encryption keys (Morgan, 
column 3 line 65 - column 4 line 7). 

Allowable Subject Matter 

18. Claims 3-7, 10, 19, 21-23 are objected to as being dependent upon a rejected 
base claim, but would be allowable if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. 

19. The following is a statement of reasons for the indication of allowable subject 
matter: 
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20. With regards to claims 3-7, 10, 19, 21-23, the cited claims provide limitations 
requiring "temporarily storing the contents of the authenticator field of the access- 
request message; filling the authenticator field with the prescribed value; performing an 
encrypting algorithm to obtain a message digest; and verifying the access-request 
message by comparing the temporarily stored authenticator value to the message 
digest." The cited prior art fails to specifically teach or suggest the steps of temporarily 
storing the contents of the authenticator field, re-filling the authenticator field with the 
prescribed value, and obtaining a message digest as defined in the cited claim. Thus 
the cited prior art fails to anticipate or render obvious the above-cited claims. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Andrew L. Nalven whose telephone number is 571 272 
3839. The examiner can normally be reached on Monday - Thursday 8-6, Alternate 
Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse can be reached on 571 272 3838. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

Andrew Nalven 





Pavftf Y Jung 




